[nsp-sec] battling open resolvers - 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6

Rob Lowe rlowe at redhat.com
Thu Apr 11 17:42:42 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm aware of this setting and I'm currently working with the
engineering product managers to try and improve our default configuration.

Steve, can I please forward your email internally? These stats are
useful in making a case. Does anyone (Jared?) have any statistics
taken from a larger sample size?

Thanks,
Rob.

On 04/11/2013 07:27 PM, Steve Colam wrote:
> ----------- nsp-security Confidential --------
> 
> Hi Folks,
> 
> Well, I've just done a version lookup on the 5413 & 31290 data and
> something interesting has come up:
> 
> dig +time=0 +tries=1 +retry=0 @<host> -c CH -t txt version.bind
> 
> There are 5957 hosts currently listed (I've ignored the live
> timestamp)
> 
> For the hosts that didn't time out, this is a uniq -c | sort -rn |
> head -10 on the version data:
> 
> 927    "9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6"
>  83    "Unsupported on this platform"
>  51    "PowerDNS Recursor 3.2 $Id: pdns_recursor.cc 1538 2010-03-06 11:39:03Z ahu $"
>  40    "dnsmasq-2.52"
>  36    "Microsoft DNS 6.1.7601 (1DB14556)"
>  32    "Microsoft DNS 6.0.6002 (1772487D)"
>  31    "Nominum Vantio 5.2.0.1"
>  24    "9.2.4"
>  21    "ZyWALL DNS"
>  13    "Microsoft DNS 6.1.7600 (1DB04228)"
> 
> 
> So - looks like we have a Redhat problem with default open
> resolvers.... based on our data, if we can get this RedHat resolver
> fixed, then 15% of the hosts are removed... a serious result if
> that applies to the rest of the open resolvers at large on the
> intertubes.
> 
> Does anyone have a contact at Redhat we can reach out to ?
> 
> Jared - can you share where you are getting your data from please
> and your thoughts on why it does not align with the Cymru data ?
> Also, is there an option to include some fingerprint info so we can
> look for other similar large quick wins ?
> 
> Cheers,
> 
> Steve @ AS5413
> 
> 
> 
> 
> 
> 
>>>>>> On Mon, 2013-03-25 at 09:54 -0400, Jared Mauch wrote:
>>>>>>> ----------- nsp-security Confidential --------
>>>>>>> 
>>>>>>> I have launched a public webpage for trying to close 
>>>>>>> the open resolvers down.  please provide me feedback in
>>>>>>> private, but check out the site here:
>>>>>>> 
>>>>>>> openresolverproject.org
>>>>>>> 
>>>>>>> This is free to share, as we are looking to get some of
>>>>>>> these IPs closed down.  We saw about 300G last night,
>>>>>>> so doing your part to help here is valuable...
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> 
>>>>>>> - Jared
> 

- -- 
Rob Lowe                      | Red Hat Asia-Pacific
Information Security Analyst  | http://www.redhat.com
Phone: +61 (0)7 35148244      | rlowe at redhat.com
5272 504B 6A97 415C 2EB2  E7B9 EDE4 0A83 CD9F E7A4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
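
Added example, not part of the original thread: the `version.bind` CH TXT lookup quoted above, built and parsed at the DNS wire level, followed by the same kind of tally, for fingerprinting resolvers you operate. All function names are hypothetical and the replies are constructed samples, not captured traffic.

```python
import struct
from collections import Counter

QNAME = b"\x07version\x04bind\x00"   # version.bind as length-prefixed labels
QTYPE_TXT, QCLASS_CH = 16, 3         # dig's "-t txt" and "-c CH"

def build_version_query(txid):
    """Wire-format question matching: dig -c CH -t txt version.bind"""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + QNAME + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_version(msg):
    """Return the first TXT string in the answer section, or None."""
    try:
        _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
        if not flags & 0x8000:            # QR bit clear: not a response
            return None
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # QTYPE + QCLASS
        for _ in range(an):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            if rtype == QTYPE_TXT and rdlen > 0:
                return msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace")
            off += rdlen
    except (IndexError, struct.error):    # truncated or malformed reply
        pass
    return None

def make_response(txid, text):
    """Build a constructed sample reply (not captured traffic) carrying `text`."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes([len(text)]) + text.encode("ascii")
    rr = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + build_version_query(txid)[12:] + rr

def tally(replies):
    """Count version strings, most common first (the uniq -c | sort -rn step)."""
    return Counter(v for v in map(parse_version, replies) if v).most_common()
```

Hosts that time out or return no TXT answer yield `None` and are left out of the tally, matching the "hosts that didn't time out" filter in the quoted message.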


